Introduction
narrowapi is a proxy that wraps third-party API calls in scoped, safe endpoints for AI agents. Instead of giving an agent a raw API key with full access, you create an action that exposes only the fields the agent needs.
narrowapi ┌────────────────────────┐ │ │ Agent ──POST──▶ │ /x/{id} (proxy) │──▶ Downstream API │ │ (Resend, Stripe, …) │ /api/v1/* (mgmt) │ │ │ Human ────────▶ │ /* (dashboard) │ │ │ └────────────────────────┘
Key concepts
Action
A scoped proxy endpoint that wraps a single downstream API call. Each action defines the target URL, HTTP method, authentication, which input fields the agent can fill in, and a body template that merges agent input with server-side values.
Token
A scoped credential (sxt_…) that grants an agent access to one or more actions. Tokens can be revoked instantly without affecting other agents or your downstream API keys.
Proxy endpoint
The POST /x/{action_id} endpoint. When an agent calls it with a valid token and matching input, narrowapi validates the payload, merges it into the body template, injects server-side credentials, and forwards the request to the downstream API.
What narrowapi protects
API keys and auth headers are AES-256-GCM encrypted at rest. They never appear in agent prompts, logs, or network traffic.
Agents can only call the specific endpoints you define. An email-sending agent cannot access billing, customer data, or any other API surface.
Per-minute and per-hour rate limits on every action. If an agent enters a loop, rate limiting stops it before real damage happens.
Every proxy call is logged with request body, response status, duration, and IP address. Full audit trail at a glance.
Free plan
- Up to 5 active actions
- Up to 300 executions per month
- Full audit log, encryption, rate limiting, and scoped tokens
- No credit card required